Date
July 22, 2025, 5:13 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64 log:

```text
[   32.420033] ==================================================================
[   32.420100] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   32.420170] Read of size 1 at addr fff00000c9ba0000 by task kunit_try_catch/264
[   32.420220]
[   32.420260] CPU: 1 UID: 0 PID: 264 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT
[   32.420353] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   32.420383] Hardware name: linux,dummy-virt (DT)
[   32.420415] Call trace:
[   32.420439]  show_stack+0x20/0x38 (C)
[   32.420500]  dump_stack_lvl+0x8c/0xd0
[   32.420556]  print_report+0x118/0x5e8
[   32.420617]  kasan_report+0xdc/0x128
[   32.420668]  __asan_report_load1_noabort+0x20/0x30
[   32.420717]  mempool_uaf_helper+0x314/0x340
[   32.420762]  mempool_page_alloc_uaf+0xc0/0x118
[   32.420823]  kunit_try_run_case+0x170/0x3f0
[   32.421538]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.421615]  kthread+0x328/0x630
[   32.421740]  ret_from_fork+0x10/0x20
[   32.421877]
[   32.421978] The buggy address belongs to the physical page:
[   32.422066] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ba0
[   32.422271] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.422369] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   32.422807] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   32.422903] page dumped because: kasan: bad access detected
[   32.422981]
[   32.423108] Memory state around the buggy address:
[   32.423241]  fff00000c9b9ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.423299]  fff00000c9b9ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.423540] >fff00000c9ba0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.423758]                    ^
[   32.423900]  fff00000c9ba0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.423998]  fff00000c9ba0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.424384] ==================================================================
[   32.363906] ==================================================================
[   32.364151] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   32.364351] Read of size 1 at addr fff00000c9ba0000 by task kunit_try_catch/260
[   32.364425]
[   32.364481] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT
[   32.364572] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   32.364599] Hardware name: linux,dummy-virt (DT)
[   32.364841] Call trace:
[   32.364878]  show_stack+0x20/0x38 (C)
[   32.364997]  dump_stack_lvl+0x8c/0xd0
[   32.365054]  print_report+0x118/0x5e8
[   32.365105]  kasan_report+0xdc/0x128
[   32.365147]  __asan_report_load1_noabort+0x20/0x30
[   32.365332]  mempool_uaf_helper+0x314/0x340
[   32.365583]  mempool_kmalloc_large_uaf+0xc4/0x120
[   32.366004]  kunit_try_run_case+0x170/0x3f0
[   32.366146]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.366334]  kthread+0x328/0x630
[   32.366411]  ret_from_fork+0x10/0x20
[   32.366607]
[   32.366640] The buggy address belongs to the physical page:
[   32.366688] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ba0
[   32.366776] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   32.366860] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   32.366914] page_type: f8(unknown)
[   32.366978] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.367029] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.367086] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   32.367141] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   32.367191] head: 0bfffe0000000002 ffffc1ffc326e801 00000000ffffffff 00000000ffffffff
[   32.367245] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   32.367291] page dumped because: kasan: bad access detected
[   32.367330]
[   32.367347] Memory state around the buggy address:
[   32.367388]  fff00000c9b9ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.367430]  fff00000c9b9ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.367494] >fff00000c9ba0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.367532]                    ^
[   32.367559]  fff00000c9ba0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.367602]  fff00000c9ba0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.367655] ==================================================================
```

qemu-x86_64 log:

```text
[   26.705081] ==================================================================
[   26.705508] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   26.706150] Read of size 1 at addr ffff88810588c000 by task kunit_try_catch/281
[   26.706813]
[   26.707056] CPU: 1 UID: 0 PID: 281 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary)
[   26.707110] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.707125] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.707149] Call Trace:
[   26.707163]  <TASK>
[   26.707190]  dump_stack_lvl+0x73/0xb0
[   26.707222]  print_report+0xd1/0x640
[   26.707246]  ? __virt_addr_valid+0x1db/0x2d0
[   26.707271]  ? mempool_uaf_helper+0x392/0x400
[   26.707294]  ? kasan_addr_to_slab+0x11/0xa0
[   26.707315]  ? mempool_uaf_helper+0x392/0x400
[   26.707339]  kasan_report+0x141/0x180
[   26.707363]  ? mempool_uaf_helper+0x392/0x400
[   26.707390]  __asan_report_load1_noabort+0x18/0x20
[   26.707415]  mempool_uaf_helper+0x392/0x400
[   26.707438]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   26.707508]  ? finish_task_switch.isra.0+0x153/0x700
[   26.707537]  mempool_page_alloc_uaf+0xed/0x140
[   26.707563]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   26.707590]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   26.707616]  ? __pfx_mempool_free_pages+0x10/0x10
[   26.707643]  ? __pfx_read_tsc+0x10/0x10
[   26.707666]  ? ktime_get_ts64+0x86/0x230
[   26.707692]  kunit_try_run_case+0x1a5/0x480
[   26.707719]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.707742]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.707768]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.707794]  ? __kthread_parkme+0x82/0x180
[   26.707815]  ? preempt_count_sub+0x50/0x80
[   26.707850]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.707875]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.707900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.707924]  kthread+0x337/0x6f0
[   26.707945]  ? trace_preempt_on+0x20/0xc0
[   26.707970]  ? __pfx_kthread+0x10/0x10
[   26.707991]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.708015]  ? calculate_sigpending+0x7b/0xa0
[   26.708039]  ? __pfx_kthread+0x10/0x10
[   26.708061]  ret_from_fork+0x116/0x1d0
[   26.708081]  ? __pfx_kthread+0x10/0x10
[   26.708102]  ret_from_fork_asm+0x1a/0x30
[   26.708133]  </TASK>
[   26.708145]
[   26.716028] The buggy address belongs to the physical page:
[   26.716217] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10588c
[   26.716552] flags: 0x200000000000000(node=0|zone=2)
[   26.716977] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   26.717320] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   26.717653] page dumped because: kasan: bad access detected
[   26.718015]
[   26.718125] Memory state around the buggy address:
[   26.718384]  ffff88810588bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.718883]  ffff88810588bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.719224] >ffff88810588c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.719513]                    ^
[   26.719689]  ffff88810588c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.720025]  ffff88810588c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.720328] ==================================================================
[   26.641536] ==================================================================
[   26.642102] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   26.642469] Read of size 1 at addr ffff8881061a8000 by task kunit_try_catch/277
[   26.642779]
[   26.642877] CPU: 0 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary)
[   26.642928] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.642942] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.642964] Call Trace:
[   26.642978]  <TASK>
[   26.642993]  dump_stack_lvl+0x73/0xb0
[   26.643021]  print_report+0xd1/0x640
[   26.643045]  ? __virt_addr_valid+0x1db/0x2d0
[   26.643068]  ? mempool_uaf_helper+0x392/0x400
[   26.643091]  ? kasan_addr_to_slab+0x11/0xa0
[   26.643112]  ? mempool_uaf_helper+0x392/0x400
[   26.643135]  kasan_report+0x141/0x180
[   26.643158]  ? mempool_uaf_helper+0x392/0x400
[   26.643617]  __asan_report_load1_noabort+0x18/0x20
[   26.643645]  mempool_uaf_helper+0x392/0x400
[   26.643670]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   26.643697]  ? finish_task_switch.isra.0+0x153/0x700
[   26.643723]  mempool_kmalloc_large_uaf+0xef/0x140
[   26.643747]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   26.643774]  ? __pfx_mempool_kmalloc+0x10/0x10
[   26.643798]  ? __pfx_mempool_kfree+0x10/0x10
[   26.643824]  ? __pfx_read_tsc+0x10/0x10
[   26.643860]  ? ktime_get_ts64+0x86/0x230
[   26.643884]  kunit_try_run_case+0x1a5/0x480
[   26.643910]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.643933]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.643961]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.643987]  ? __kthread_parkme+0x82/0x180
[   26.644008]  ? preempt_count_sub+0x50/0x80
[   26.644031]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.644056]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.644080]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.644104]  kthread+0x337/0x6f0
[   26.644125]  ? trace_preempt_on+0x20/0xc0
[   26.644149]  ? __pfx_kthread+0x10/0x10
[   26.644179]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.644204]  ? calculate_sigpending+0x7b/0xa0
[   26.644228]  ? __pfx_kthread+0x10/0x10
[   26.644251]  ret_from_fork+0x116/0x1d0
[   26.644270]  ? __pfx_kthread+0x10/0x10
[   26.644292]  ret_from_fork_asm+0x1a/0x30
[   26.644323]  </TASK>
[   26.644334]
[   26.654571] The buggy address belongs to the physical page:
[   26.654804] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061a8
[   26.655134] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   26.655813] flags: 0x200000000000040(head|node=0|zone=2)
[   26.656162] page_type: f8(unknown)
[   26.656483] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   26.656843] raw: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   26.657322] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   26.657768] head: 0000000000000000 0000000000000000 00000000f8000000 0000000000000000
[   26.658361] head: 0200000000000002 ffffea0004186a01 00000000ffffffff 00000000ffffffff
[   26.658933] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   26.659420] page dumped because: kasan: bad access detected
[   26.659754]
[   26.659993] Memory state around the buggy address:
[   26.660278]  ffff8881061a7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.660700]  ffff8881061a7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.661130] >ffff8881061a8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.661417]                    ^
[   26.661580]  ffff8881061a8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.662295]  ffff8881061a8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.662776] ==================================================================
```